long-term GPG signing key

Guus Sliepen guus at sliepen.eu.org
Sat Jan 14 16:50:35 EST 2006 

On Sat, Jan 14, 2006 at 12:30:25PM -0700, Anne & Lynn Wheeler wrote:

> Guus Sliepen wrote:
> > By default, GPG creates a signing key and an encryption key. The signing
> > key is used both for signing other keys (including self-signing your own
> > keys), and for signing documents (like emails). However, it is possible
> > to "split" the signing key into a master key that you only use to sign
> > other keys, and a key dedicated to signing documents. You can revoke the
> > latter key and create a new one whenever you want, the master key is
> > still valid. Also, when people sign your key, they sign your master key,
> > not the subkeys. The signatures you accumulated will also still be
> > valid. You can also keep the master key safely tucked away on an old
> > laptop that you keep in a safe, and only export the subkeys to your
> > workstation. That way the master key is very safe.

> as in previous post ... i assert that fundamental digital signature
> verification is an authentication operation
> http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing keys
> 
> and doesn't (by itself) carry with it characteristics of human
> signature, read, understood, approves, agrees, and/or authorizes.

It depends on how it is used. For example, when I sent this email, I
typed in the passphrase of my PGP key, authorising GnuPG to create a
signature for this email. This comes very close to "human signing". I
read, understood, approve etc. with the contents of this email.

If assymetric cryptography is used to automatically sign a credit card
transaction without the user having to do more than click a button, then
I agree that in that situation, the digital signature is not the same as
a human signature.

[...]
> it is when you start equating private keys with certification and truth
> characteristics that you move into a completely different risk and
> threat domain.

I don't equate private keys with that. I do equate signatures made with
those keys with that.

> the other foray into embellishing private keys and digital signatures
> with human signature type characteristics was the non-repudiation
> activity. however, it is now commoningly accepted that to embellish
> digital signatures with non-repudiation attributes requires a whole lot
> of additional business processes ... not the simple operation of
> generating an authentication digital signature.
[...]
> the corollary is that digitally signed certificates and
> private keys embellished with certification and truth characteristics
> become less and less meaningful.

That is probably true, but in the mean time Travis still wants to know
how to create a PGP key with the properties he wishes for.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20060114/ac07753b/attachment.pgp>

More information about the cryptography mailing list